If I access some of the secured content I get redirected to CAS login. After authentication I'm redirected back to the secure url I tried to access.

On every page I need to add "Log in" link that does the same thing. Where should this link point to? I tried ${cas.app.url}/login?service=${application.stack.hostname}/ctx/j_spring_cas_security_check but that does not seem to work.

Of course all the properties are replaced with appropriate full hostnames :)

If I understand what you are looking for you should just be able to point them to ${cas.app.url}/login. Leave out the service parameter. This will take them to the login page of your cas server which will authenticate them to all of your secure services.